OWASP Agentic Security (ASI) Top 10 (2026): The Risks of Agentic AI Systems

The OWASP Agentic Top 10 (ASI01–ASI10) is the risk list for autonomous AI agents published on 9 December 2025 by the OWASP GenAI Security Project under the umbrella of the Agentic Security Initiative (ASI). It extends the established LLM Top 10 with agent-specific threats arising from autonomy, tool use, multi-agent coordination and persistent memory. The list is the reference for DACH deployers running agents in production who need to evidence their risks to audit, oversight functions and the board.

• What it is: A peer-reviewed risk register with ten agent-specific threat classes - not a control catalogue.
• Why it is needed: Agents plan, select tools, write to memory and act - which expands the attack surface beyond what the LLM Top 10 models.
• What to watch for: An older draft list from February 2025 is still circulating and causes confusion over the numbering.

Which list is which? The taxonomy trap

OWASP now publishes a whole family of overlapping AI-security artefacts. For DACH risk and procurement teams, drawing clean boundaries is essential:

• OWASP LLM Top 10 (LLM01:2025–LLM10:2025): Model and application risks of any GenAI application - conversational, RAG-based, Copilot-style or agentic.
• OWASP Agentic Top 10 (ASI01–ASI10, 2026): Risks of autonomous agents, published on 9 December 2025.
• OWASP AI Exchange, AIVSS, MCP Top 10, Agentic Skills Top 10 (AST10): complementary artefacts for the knowledge base, scoring, protocol and skill layers.

Important: a candidate list circulating in the pillar brief with "Memory Poisoning" as ASI01 stems from an OWASP working draft from February 2025 (Agentic AI Threats and Mitigations v1.0, "15 agentic threats"). This is outdated but still cited in many practitioner articles from 2025. The final list consolidates the draft threats: Memory Poisoning now sits under ASI06, HITL bypass under ASI09, and repudiation/untraceability under ASI03 plus cross-cutting logging requirements.

Why agentic systems need their own list

The LLM Top 10 was written for systems that predominantly respond: prompt in, completion out, perhaps grounded by RAG. Agentic systems, by contrast, plan, reason, select tools, write to memory and act - with minimal step-by-step human approval. OWASP sums it up like this: agentic systems inherit all LLM risks and introduce entirely new classes of vulnerability arising from autonomy, tool integration, multi-agent coordination and persistent state.

The open-source red-teaming framework DeepTeam captures the amplification effect succinctly: ASI01 (Agent Goal Hijack) = LLM01 (Prompt Injection) × LLM06 (Excessive Agency) - but with multi-step execution that multiplies the damage beyond a single response. ASI07, ASI08 and ASI10 have no LLM Top 10 counterpart at all.

The ten risks at a glance

The following table summarises the canonical list, the primary control category and the LLM Top 10 equivalent (source: OWASP, 2026).

ASI01 – Agent Goal Hijack

An attacker manipulates an agent's goals, task selection or decision paths - via prompt injection, manipulated tool outputs, malicious artefacts, forged inter-agent messages or poisoned external data. The agent does not have to be "broken"; it follows instructions it believes to be legitimate, because models cannot reliably separate instructions from data. Documented incident: EchoLeak (CVE-2025-32711, CVSS 9.3) in Microsoft 365 Copilot - the first real-world zero-click prompt injection in a production system. A crafted email bypassed the XPIA classifier and exfiltrated sensitive content without a single click (Aim Labs, June 2025).

ASI02 – Tool Misuse & Exploitation

The agent operates within its authorised rights but uses a legitimate tool unsafely: it deletes data, calls costly APIs excessively, or exfiltrates information. Distinction from ASI03: access is legitimate, usage is not. Documented: Amazon Q Code Assistant (CVE-2025-8217) - manipulated instructions in the VS Code extension would have deleted file systems and cloud resources without confirmation using --trust-all-tools --no-interactive; around one million developers had installed the extension.

ASI03 – Identity & Privilege Abuse

Agents operate with far-reaching rights. If an agent is compromised, the attacker inherits its permissions. Privilege inheritance is the dominant systemic risk, because agent identities are poorly modelled in human-centric IAM systems. The recommendation is to treat every agent as a first-class non-human identity (NHI) - with primitives such as Microsoft Entra Agent ID (GA 2025, as of 2026), AWS IAM agent roles and short-lived credentials.

ASI04 – Agentic Supply Chain Vulnerabilities

Unlike LLM03 (static supply chain: training data, base model, build-time libraries), ASI04 covers what agents load dynamically at runtime: MCP servers, plugins, external tools, agent cards, sub-agents. Documented: postmark-mcp (Koi Security, September 2025) - the first malicious MCP server in the wild; every message sent was secretly copied to the attacker, with 1,643 downloads before removal. Countermeasure: an "agentic SBOM" (AIBOM) and trusted-registry enforcement.

ASI05 – Unexpected Code Execution

Many agents generate and execute code as a feature. SecOps Group documented over 30 CVEs on major AI coding platforms in December 2025 alone. Example: CurXecute (CVE-2025-54135) - a poisoned prompt from a public Slack message could rewrite ~/.cursor/mcp.json and execute attacker commands every time Cursor started. Control: isolated, ephemeral sandboxes (gVisor, Firecracker), command allow-lists, no auto-approve.

ASI06 – Memory & Context Poisoning

Agents hold persistent memory - history, preferences, learned context, RAG stores. A single successful injection can poison the memory permanently; every future session inherits the compromise. Documented: the Google Gemini memory attack (Johann Rehberger, February 2025) with "delayed tool invocation" and the Lakera research (November 2025), in which compromised agents developed persistent false beliefs and defended them against human challenges - sleeper-agent behaviour.

ASI07 – Insecure Inter-Agent Communication

Multi-agent systems coordinate via messages. Without strong authentication, integrity and policy, false information can be injected, because messages are in natural language and trust is implicit. Documented: agent session smuggling in the A2A protocol (Palo Alto Unit 42, November 2025) - a sustained social-engineering campaign of agent against agent rather than a single shot. Control: mTLS, cryptographically signed AgentCards, an explicit collaboration graph.

ASI08 – Cascading Failures

In networked multi-agent workflows, errors compound. A compromised agent poisons every agent it communicates with. Documented: the Galileo AI research (December 2025) - in simulated systems, a single compromised agent poisoned 87% of downstream decisions within 4 hours. Control: circuit breakers, defined blast-radius caps, bulkheads, automatic kill switches.

ASI09 – Human-Agent Trust Exploitation

Agents produce polished, authoritative-sounding outputs; people tend to "wave them through". The oversight layer, which is supposed to be a security control, becomes the vulnerability (automation bias). Maps directly onto EU AI Act Art. 14. Control: HITL gates that enforce independent verification of the evidence, a force-engagement UI instead of a mere "approve" button.

ASI10 – Rogue Agents

The most extreme manifestation: an agent that deviates fundamentally from its intended function - through accumulated memory poisoning, supply-chain compromise or emergent misalignment. OWASP cites the "Replit meltdown" (mid-2025) as an example. To communicate honestly: a fully documented "rogue agent in production" at a large enterprise was not confirmed as of the research date (May 2026) - it is frontier-research and red-team territory. Control: continuous behavioural baselines, canary tasks, mandatory kill switches.

A concrete example: the procurement cascade

A documented incident vividly connects ASI08 and ASI09: a procurement agent was gradually convinced over three weeks that its authorisation limit was USD 500,000. The attacker then placed USD 5 million in ten fraudulent orders. Each individual step was plausible (boiling-frog pattern, ASI06 memory drift), the human approvers trusted the agent's growing claim to authority (ASI09), and the effect cascaded through downstream pricing and compliance agents (ASI08). The lesson: damage limitation requires idempotency tokens on critical actions, hard blast-radius caps and HITL gates with independent evidence verification - not just trust in the agent's recommendation.

Mapping to the DACH compliance framework

The Agentic Top 10 is a risk register, not a control catalogue. It sits on top of classic standards such as ASVS and the API Security Top 10, not in their place. Complementing it, MAESTRO (Cloud Security Alliance) provides the architecture map, MITRE ATLAS (version 5.1.0, November 2025, as of 2026) the attacker playbook, and AIVSS (version 0.8, March 2026; version 1.0 expected by end of 2026) the scoring with agentic amplification factors. EU AI Act Art. 15 (cybersecurity, robustness) and Art. 14 (human oversight) conceptually cover many ASI risks, but leave agent-specific gaps - such as indirect injection or multi-agent cascades - with the deployer. GDPR Art. 32 applies to integrity and confidentiality; ISO 42001, NIS2 and DORA flank financial and critical-infrastructure contexts.

For agencies and B2B decision-makers

Anyone designing AI agents for clients or running them in-house should anchor ASI01–ASI10 as a mandatory checklist in the pitch, the architecture and the operations handbook - not as a security silo, but integrated into IAM, logging and approval processes. For DACH B2B, that means concretely: every agent identity as an NHI with short-lived credentials, auto-approve off by default, memory provenance and tenant isolation, kill switches in every production environment, and quarterly red-teaming. As a Vienna-based agency, Blck Alpaca helps turn this threat register into an auditable risk register that holds up before audit, oversight functions and the board.